git: 932ec59d9996 - main - pf: fix ICMP type/code representation
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 02 Sep 2025 21:10:49 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=932ec59d9996af2dda50287d56186708d8388539
commit 932ec59d9996af2dda50287d56186708d8388539
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-12 09:35:22 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-02 21:10:19 +0000
pf: fix ICMP type/code representation
internal representation of icmp type/code in pfctl(8)/pf(4) does not
fit into u_int8_t. Issue has been noticed and kindly reported by
amalinin _at_ bh0.amt.ru via bugs@.
OK bluhm@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 1fdb608f55
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
lib/libpfctl/libpfctl.c | 6 ++++--
lib/libpfctl/libpfctl.h | 4 ++--
sbin/pfctl/parse.y | 4 ++--
sys/net/pfvar.h | 4 ++--
sys/netpfil/pf/pf_nl.c | 6 ++++++
sys/netpfil/pf/pf_nl.h | 2 ++
sys/netpfil/pf/pf_nv.c | 7 +++++--
7 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 0037f31df04b..190ee46baf21 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -1284,8 +1284,8 @@ snl_add_msg_attr_pf_rule(struct snl_writer *nw, uint32_t type, const struct pfct
snl_add_msg_attr_u8(nw, PF_RT_KEEP_STATE, r->keep_state);
snl_add_msg_attr_u8(nw, PF_RT_AF, r->af);
snl_add_msg_attr_u8(nw, PF_RT_PROTO, r->proto);
- snl_add_msg_attr_u8(nw, PF_RT_TYPE, r->type);
- snl_add_msg_attr_u8(nw, PF_RT_CODE, r->code);
+ snl_add_msg_attr_u16(nw, PF_RT_TYPE_2, r->type);
+ snl_add_msg_attr_u16(nw, PF_RT_CODE_2, r->code);
snl_add_msg_attr_u8(nw, PF_RT_FLAGS, r->flags);
snl_add_msg_attr_u8(nw, PF_RT_FLAGSET, r->flagset);
snl_add_msg_attr_u8(nw, PF_RT_MIN_TTL, r->min_ttl);
@@ -1694,6 +1694,8 @@ static struct snl_attr_parser ap_getrule[] = {
{ .type = PF_RT_SRC_NODES_ROUTE, .off = _OUT(r.src_nodes_type[PF_SN_ROUTE]), .cb = snl_attr_get_uint64 },
{ .type = PF_RT_PKTRATE, .off = _OUT(r.pktrate), .arg = &pfctl_threshold_parser, .cb = snl_attr_get_nested },
{ .type = PF_RT_MAX_PKT_SIZE, .off =_OUT(r.max_pkt_size), .cb = snl_attr_get_uint16 },
+ { .type = PF_RT_TYPE_2, .off = _OUT(r.type), .cb = snl_attr_get_uint16 },
+ { .type = PF_RT_CODE_2, .off = _OUT(r.code), .cb = snl_attr_get_uint16 },
};
#undef _OUT
SNL_DECLARE_PARSER(getrule_parser, struct genlmsghdr, snl_f_p_empty, ap_getrule);
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index f6c8f6a2ccdb..da16d5179ec0 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -261,8 +261,8 @@ struct pfctl_rule {
uint8_t keep_state;
sa_family_t af;
uint8_t proto;
- uint8_t type;
- uint8_t code;
+ uint16_t type;
+ uint16_t code;
uint8_t flags;
uint8_t flagset;
uint8_t min_ttl;
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 59c27d1f5d7c..dce5800df27a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -166,8 +166,8 @@ struct node_gid {
};
struct node_icmp {
- u_int8_t code;
- u_int8_t type;
+ uint16_t code;
+ uint16_t type;
u_int8_t proto;
struct node_icmp *next;
struct node_icmp *tail;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index cf6d2508cf65..3761ddae814f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -860,8 +860,8 @@ struct pf_krule {
u_int8_t keep_state;
sa_family_t af;
u_int8_t proto;
- u_int8_t type;
- u_int8_t code;
+ uint16_t type;
+ uint16_t code;
u_int8_t flags;
u_int8_t flagset;
u_int8_t min_ttl;
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index 45b5b8dd5fef..763079ea651a 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -763,6 +763,8 @@ static const struct nlattr_parser nla_p_rule[] = {
{ .type = PF_RT_RCV_IFNOT, .off = _OUT(rcvifnot), .cb = nlattr_get_bool },
{ .type = PF_RT_PKTRATE, .off = _OUT(pktrate), .arg = &threshold_parser, .cb = nlattr_get_nested },
{ .type = PF_RT_MAX_PKT_SIZE, .off = _OUT(max_pkt_size), .cb = nlattr_get_uint16 },
+ { .type = PF_RT_TYPE_2, .off = _OUT(type), .cb = nlattr_get_uint16 },
+ { .type = PF_RT_CODE_2, .off = _OUT(code), .cb = nlattr_get_uint16 },
};
NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule);
#undef _OUT
@@ -984,8 +986,12 @@ pf_handle_getrule(struct nlmsghdr *hdr, struct nl_pstate *npt)
nlattr_add_u8(nw, PF_RT_AF, rule->af);
nlattr_add_u8(nw, PF_RT_NAF, rule->naf);
nlattr_add_u8(nw, PF_RT_PROTO, rule->proto);
+
nlattr_add_u8(nw, PF_RT_TYPE, rule->type);
nlattr_add_u8(nw, PF_RT_CODE, rule->code);
+ nlattr_add_u16(nw, PF_RT_TYPE_2, rule->type);
+ nlattr_add_u16(nw, PF_RT_CODE_2, rule->code);
+
nlattr_add_u8(nw, PF_RT_FLAGS, rule->flags);
nlattr_add_u8(nw, PF_RT_FLAGSET, rule->flagset);
nlattr_add_u8(nw, PF_RT_MIN_TTL, rule->min_ttl);
diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h
index 87daac393821..b60d3d4797c6 100644
--- a/sys/netpfil/pf/pf_nl.h
+++ b/sys/netpfil/pf/pf_nl.h
@@ -283,6 +283,8 @@ enum pf_rule_type_t {
PF_RT_SRC_NODES_ROUTE = 81, /* u64 */
PF_RT_PKTRATE = 82, /* nested, pf_threshold_type_t */
PF_RT_MAX_PKT_SIZE = 83, /* u16 */
+ PF_RT_TYPE_2 = 84, /* u16 */
+ PF_RT_CODE_2 = 85, /* u16 */
};
enum pf_addrule_type_t {
diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c
index 89486928e6e1..2f484e2dabc6 100644
--- a/sys/netpfil/pf/pf_nv.c
+++ b/sys/netpfil/pf/pf_nv.c
@@ -505,6 +505,7 @@ int
pf_nvrule_to_krule(const nvlist_t *nvl, struct pf_krule *rule)
{
int error = 0;
+ uint8_t tmp;
#define ERROUT(x) ERROUT_FUNCTION(errout, x)
@@ -610,8 +611,10 @@ pf_nvrule_to_krule(const nvlist_t *nvl, struct pf_krule *rule)
PFNV_CHK(pf_nvuint8(nvl, "keep_state", &rule->keep_state));
PFNV_CHK(pf_nvuint8(nvl, "af", &rule->af));
PFNV_CHK(pf_nvuint8(nvl, "proto", &rule->proto));
- PFNV_CHK(pf_nvuint8(nvl, "type", &rule->type));
- PFNV_CHK(pf_nvuint8(nvl, "code", &rule->code));
+ PFNV_CHK(pf_nvuint8(nvl, "type", &tmp));
+ rule->type = tmp;
+ PFNV_CHK(pf_nvuint8(nvl, "code", &tmp));
+ rule->code = tmp;
PFNV_CHK(pf_nvuint8(nvl, "flags", &rule->flags));
PFNV_CHK(pf_nvuint8(nvl, "flagset", &rule->flagset));
PFNV_CHK(pf_nvuint8(nvl, "min_ttl", &rule->min_ttl));